Cisco Identity Services Engine Software Technical Manual

802.1x DACL, Per-User ACL, Filter-ID, and Device Tracking Behavior
Document ID: 119374
Contributed by Michal Garcarz, Piotr Kupisiewicz, and Roman Machulik, Cisco TAC Engineers.
Nov 24, 2015
Contents
Introduction
Device Tracking Theory
Device Tracking Configuration
Device Tracking Tests
     Debugs From Version 12.2.33, IP Device Tracking Updated by DHCP Snooping
     Probe and ARP Snooping
     IP Device Tracking for Version 12.2.55 - Hidden Command
     IP Device Tracking for Version 12.2.55 - Static IP Example
     IP Device Tracking for Version 15.x
     IP Device Tracking for Cisco IOS-XE®
     IP Device Tracking with 802.1x and DACL for Version 12.2.55
     IP Device Tracking with 802.1x and DACL for Version 15.x
        Specific ACL Entry
        Control-Direction
     IP Device Tracking with 802.1x and Per-User ACL for Version 15.x
        Difference when Compared to the DACL
     IP Device Tracking with 802.1x and Filter-ID ACL for Version 15.x
     IP Device Tracking - Defaults and Best Practices
Interface ACL Rewrite for Version 15.x
Default ACL Used for 802.1x
Open Mode
When the Interface ACL is Mandatory
DACL on 4500/6500
MAC Address Status for 802.1x
Troubleshoot
Related Information
Introduction
This document describes how the IP device tracking feature works, including the triggers that add and remove a host. It also explains the impact of device tracking on the 802.1x Downloadable Access Control List (DACL). The behavior changes between versions and platforms.
The second part of the document focuses on the Access Control List (ACL) returned by the Authentication, Authorization, and Accounting (AAA) server and applied to the 802.1x session. A comparison between the DACL, Per-User ACL, and Filter-ID ACL is presented. Some caveats regarding the ACL rewrite and the default ACL are also discussed.